Apr 26 2012

No-fly case goes forward against Feds, while SFO pays through the nose for false arrest of traveler

We’ve noted previously that, as the DHS increasingly relies on state and local law enforcement officers and private contractors to carry out its extrajudicial “no-fly”, search, and surveillance orders, those individuals and their employers face a growing risk of liability for their actions against travelers.

Case in point: Ibrahim v. DHS et al.

We’ve reported previously on some of the earlier stages in this case, originally filed in 2005 by a Malaysian architect, then a doctoral candidate at Stanford University and today (having received her Ph.D. from Stanford in absentia) a professor and Dean of the Faculty of Design and Architecture at UPM in Malaysia.  When she tried to check in at San Francisco International Airport (SFO) for a flight back to Malaysia to give a presentation about her Stanford research, she was arrested by SFO airport police (a branch of the San Francisco police force) on the direction of a private contractor who answered the phone at the TSA’s Transportation Security Operations Center (since renamed — we are not making this up — the “Freedom Center”).  She was told she was on the “no-fly” list, but was allowed to fly home to Malaysia the next day, after which her US student visa was revoked.

Through her lawyers in the US, Ibrahim sued the various Federal agencies involved in no-fly decisions; their individual officials, employees, and contractors; and the San Francisco city and county, airport, police department, and individual police officers, for violations of her 1st and 5th Amendment rights.

The case has a had a tortured procedural history. After seven years, there has been no discovery, fact-finding, or rulings on any of the substantive issues. The case has, however, survived a series of District Court rulings and two appeals to the 9th Circuit Court of Appeals, first in 2008 on which, if any, Federal court (district or circuit, in San Francisco or DC) had jurisdiction to hear the case, and then in February 2012 on whether Dr. Ibrahim had standing, as a non-US citizen now residing (involuntarily) outside the US, to bring her Constitutional claims in US courts.

The latest ruling by the 9th Circuit in Ibrahim v. DHS, which allows the case against the government and its agents to go forward, is significant for its rejection of several of the Federal government’s key arguments against judicial review of no-fly decisions:

Read More

Apr 25 2012

European Parliament approves PNR agreement with the US. What’s next?

[MEPs picket outside the plenary chamber to ask their colleagues to say “No” to the PNR agreement with the US. (Photo by greensefa, some rights reserved under Creative Commons license, CC BY 2.0)”]

Last week — despite the demonstration shown above (more photos here) by Members of the European Parliament as their colleagues entered the plenary chamber for the vote — the European Parliament acquiesced, reluctantly, to an agreement with the US Department of Homeland Security to allow airlines that do business in the EU to give the DHS access to PNR (Passenger Name Record) data contained in their customers’ reservations for flights to or from the USA. (See our FAQ: Transfers of PNR Data from the European Union to the USA.)

The vote is a setback for civil liberties and the the fundamental right to freedom of movement, in both the US and Europe.

But the vote in the European Parliament is neither the definitive authorization for travel surveillance and control, nor the full grant of retroactive immunity for travel companies that have been violating EU data protection rules, that the DHS and its European allies had hoped for.

Many MEPs voted for the agreement only reluctantly, in the belief (mistaken, we believe), that it was “better than nothing” and represented an attempt to bring the illegal US surveillance of European travelers under some semblance of legal control.

Whatever MEPs intended, the vote in Strasbourg will not put an end to challenges to government access to airline reservations and other travel records, whether in European courts, European legislatures, or — most importantly — through public defiance, noncooperation, and other protests and direct action.

By its own explicit terms, and because it is not a treaty and is not enforceable in US courts, the “executive agreement” on access to PNR data provides no protection for travelers’ rights.

The intent of the US government in negotiating and lobbying for approval of the agreement was not to protect travelers or prevent terrorism, but to provide legal immunity for airlines and other travel companies — both US and European — that have been violating EU laws by transferring PNR data from the EU to countries like the US.  The DHS made this explicit in testimony to Congress in October 2011:

To protect U.S. industry partners from unreasonable lawsuits, as well as to reassure our allies, DHS has entered into these negotiations.

But because of the nature of the PNR data ecosystem and the pathways by which the DHS (and other government agencies and third parties outside the EU) can obtain access to PNR data, the agreement does not provide travel companies with the full immunity they had sought.

Most of the the routine practices of airlines and travel companies in handling PNR data collected in the EU remain in violation of EU data protection law and subject to enforcement action by EU data protection authorities and private lawsuits by travelers against airlines, travel agencies, tour operators, and CRS companies in European courts.

Why is that?

Read More

Mar 07 2012

All US police to get access to international travel records?

This just in from the “All international travelers are suspected terrorists” department:

In response to questions (see the video at approx. 37:00-38:30) from members of a House Homeland Security subcommittee during a hearing yesterday, DHS Deputy Counter-Terrorism Coordinator John Cohen said that, as part of the Orwellianly-named “Secure Communities” program, local police will soon be receiving the result of a check of DHS international travel logs, automatically, for every person arrested anywhere in the US for even a minor offense. Local police will be able to run checks of travel records for “nonoffenders” — innocent people — as well.

According to one report:

Under the forthcoming plan, authorities will be able to instantly pull up an offender’s or nonoffender’s immigration records and biometric markers, he said. The government already is able to vet visitor records from multiple databases for national security and public safety threats, Cohen added.

“So, today, if someone is arrested for any type of offense, part of the query that will take place will be an automatic check of immigrations systems — it will be a check of TECS as well,” he said. “The chances are greatly enhanced that today if somebody were to be booked on a minor drug offense or a serious traffic violation even, the person’s immigration status would come to our attention.”

Here’s what the result of a TECS check might look like: logs of (legal) international travel, and notes from customs inspectors about whatever events they considered noteworthy (again, including events that were entirely legal).  We got these linked examples before DHS exempted TECS from most of the access requirements of the Privacy Act. You no longer have any legal right in the US to find out what’s in the TECS records about yourself. And while TECS was being described to Congress as an immigration enforcement system, these examples are from TECS records about a US citizen. Logs are kept in TECS of everyone who travels to, from, or via the US — even US citizens.

TECS used to include complete airline reservations (Passenger Name Records). PNR data has been re-categorized as a separate DHS system of records, the “Automated Targeting System”. But TECS records include the traveler’s name and the airline code, flight number, and date of each flight, which is sufficient information to retrieve the complete PNR from the airline or the computerized reservation system (CRS) that hosts it. This airline data is obtained from APIS transmissions, which the US has claimed to the European Union are used only for a narrow range of purposes.

Soon, it will be as easy for any local law enforcement officer anywhere in the US to run a “TECS check” of these records about you as it is today for them to run a check of your criminal record from NCIC. Except that the records in TECS are records of your exercise of First Amendment rights of freedom of assembly, not records of criminal convictions.

Or should we be asking if the DHS now thinks that foreign travel has become tantamount to a crime?

Mar 05 2012

New questions from European Parliament about “bypass” of EU-US agreement on PNR

Important new questions about how the US government can bypass the proposed EU-US agreement on access to PNR data have been asked by a key Member of the European Parliament.

These new questions by MEP Sophie in ‘t Veld (the Europarl “rapporteur” or floor leader on the proposed PNR agreement) follow up on evasive, misleading, and incomplete responses by European Commissioner Cecilia Malmström’s to previous questions from MEPs about PNR data.

The proposed EU-US agreement would pertain only to DHS copies of PNR data obtained directly from airlines, but would not regulate the master copies of PNRs held by Computerized Reservation Systems (CRSs) such as Sabre, Galileo/Apollo by Travelport, Worldspan by Travelport, and Google in the US or Amadeus in Europe (each of which is used by travel companies in the US, EU, and other countries).

Two sets of questions (here and here) about US government access to CRS databases of PNRs were tabled today by MEP in t’ Veld, with a request that the European Commission respond before the LIBE Committtee of the EP vote on the proposed EU-US agreement, currently scheduled for March 27th.

The first set of these questions focuses on US government access to PNR data held on servers in the US (such as whenever a European travel agency or tour operator uses one of the US-based CRSs).

The second set of questions concerns the ways that US law allows the US government to bypass the proposed agreement and obtain PNR data through CRS offices in the US — even when the data is stored on servers in the EU:

US access to PNR data in Computer Reservation System Amadeus II

Computer Reservation System Amadeus has its headquarters in Madrid (Spain) and its central database in Erding (Germany). Additionally, it has several offices outside the EU, including an office in Miami, in US jurisdiction. All Amadeus offices around the world have access to the PNR data base in Erding.

  1. Is the Commission aware that the US authorities may retrieve PNR data stored in Europe (Erding) through the Amadeus office in the US, for example by using National Security Letters? Is the Commission aware that such retrievals are not being logged, and that Amadeus may be sworn to secrecy by the US authorities?
  2. Does the Commission consider this would allow the US authorities to get access to PNR data, at least on an ad hoc basis, at any given moment? Does the Commission agree that this is not only equivalent to the PULL method, but that it even exceeds PULL, as it allows for the retrieval of all PNR data, not just the fields specified in the EU-US Agreement, without the obligation to log the retrievals? Does the Commission agree that this leaves the clauses on PUSH and PULL and logging, in the EU-US agreement completely meaningless in practice?
  3. Does the Commission agree that data retrieved by the authorities of a third country from an EU located data base would constitute a transfer of data to a third country? Is the Commission aware if Amadeus or similar CRS are keeping logs of such retrievals? If not, does the Commission consider that such retrievals are a violation of EU data protection rules?
  4. If no logs are being kept of the retrievals described above, would the Commission agree that citizens would have no means to exercise their rights to verify and correct their data?
  5. Can the Commission provide an overview of other Computer Reservation Systems with a presence in the US, that would be in the same position as Amadeus? Can the Commission provide an overview of PNR data stored in Europe by CRS, that are thus available to third countries other than the US?

We’ve been asking exactly these questions for years, and we’re pleased to see that MEPs are demanding answers from the European Commission before they vote on an agreement that, in fact, would do little to reign in the US government’s demands to PNR data because it could so easily be bypassed.

Some of these questions are easily answered, although the EC may not want to admit the answers.

EU-based airlines including KLM, Air France, and Lufthansa have each told us, in response to our requests for access to our PNR data, that Amadeus has no logs of who has accessed our PNRs. And in response to our lawsuit seeking access to PNR data held by DHS, the US government has claimed that it has no logs of who has accessed the DHS copies of PNRs with information about us.

We presented diagrams of the information architecture of the PNR data ecosystem, and the pathways for PNR data flows which bypass the EU-US agreement, in our testimony to MEPs in Brussels in 2010. A representative of the EC attended and spoke on the same panel with us at that hearing, so the Commission can’t claim that they were unaware of these issues. We also explained this bypass pathway in our FAQ on Transfers of PNR Data from the EU to the USA, which was first distributed to MEPs in 2010 and which we’ve just updated and re-posted.

The possibility for the US government to bypass the EU-US agreement and obtain PNR data directly from CRS servers or offices in the US was also explicitly raised by the US government in its negotiations with European governbments.  European authorities, including the German data protection commissioner and chair of the Article 29 working party, have been fully aware of the US ability to bypass the agreement in this way since at least 2006, when the US pointed this bypass channel out to European authorities.

Many of the US diplomatic cables made public by Wikileaks relate to US access to PNR data. Perhaps the most interesting of these PNR-related Wikileaks cables was sent to Washington from the US Embassy in Berlin on  October 31, 2006. This cable reports on two days of meetings between Assistant Secretary (“A/S”) of Homeland Security Stewart Baker  — the chief drafter and negotiator for the US of the original PNR agreements — and various German government officials. (Baker’s own self-serving account of these meetings is included in his memoir, Skating on Stilts, which he has kindly made available for free download.

But Baker’s account omits some of what he reported to his bosses in Washington:

A/S Baker warned that in many cases the actual airline databases reside in the United States, and the airlines of many EU countries do not have flights to the United States, and so in this light, from the U.S. perspective, it was difficult to see why an EU government and parliament should have any influence on the access of U.S. agencies to data in the United States.

This is why the DHS recently testified to Congress that the reason for the proposed agreement was to “To protect U.S. industry partners from unreasonable lawsuits.” The US government doesn’t need any “agreement” with the EU to obtain PNR data collected in the EU, as long as EU travel companies continue to outsource the storage of PNR data to CRSs based in, or with offices in, the US.

It’s also important to note that the DHS referred to the need to “protect U.S. industry partners”, not European companies. The US govenrment doesn’t care whether European companies comply with European law, or are disadvantaged by US law. the US government wants to protect US companies that are at risk of liability for violating EU law.

Who are those companies? Clearly, the principal violators of EU law in this case are the US-based CRSs, which shouldn’t be allowed to operate or serve travel agencies, tour operators, or airlines in the EU unless they comply with EU law — which they don’t.

It’s not illegal to transfer PNR data from a travel agency in the EU to a CRS in the US. but it is illegal to do so without being able to ensure that the data transferred will be protected, and without the knowledge or consent of the data subject.

No travel agency or tour operator in the EU ever says to a customer, “Is it OK if I store your PNR for this flight from Berlin to Brussels on a server in Denver (or Dallas)?” But that’s what happens whenever a Sabre or Travelport subscriber in the EU makes a reservation, regardless of whether the itinerary involves any destination in the US. And that’s the question any such travel agency is required to ask, under current EU data protection laws, before they can outsource their customers’ data to the US.

The fact that this practice is flagrantly illegal, but so widespread, is one of the clearest examples of the failure of EU authorities and the so-called “Safe Harbor” scheme to protect the personal information of either European or US travelers.

We hope to see these issues addressed not just by the EC and the European Parliament, in response to MEP in ‘t Veld’s questions, but also by EU policy-makers reviewing “Safe Harbor” and the protection of personal data stored by “cloud services” (of which CRSs are one of the first examples).

We’ve been invited to attend the EC’s trans-Atlantic conference on Privacy and Protection of Personal Data later this month, and hope to raise these issues there and see them made part of the ongoing review of “Safe Harbor”, the EU Data Protection Directive, and privacy policy for cloud services.

Mar 01 2012

Google is now in the PNR hosting business

Today Google and Cape Air announced that Cape Air has migrated its reservations and Passenger Name Records (PNRs) to a new computerized reservation system (CRS) provided by Google’s ITA Software division.

ITA Software was working on a CRS even before it was acquired by Google last year, but had appeared to lack a launch customer to fund the project after its original partner, Air Canada, backed out. In his first public statement last November after the Google acquisition was completed, Google Vice President and former ITA Software CEO Jeremy Wertheimer anticipated today’s announcement and said that with Google’s new backing, his division was “burning the midnight oil” to complete the project.

Cape Air, Google’s CRS launch customer, is a very small US airline that mainly flies 9-seat piston-engined propeller planes to small resort islands. Most of what might look like “international” destinations on their route map are actually US colonies. But Cape Air does serve some British colonies in the Caribbean, including Anguilla and Tortola. All reservations for those flights, as well as any reservations for Cape Air’s domestic US and other flights made through travel agencies, tour operators, or “interline” airline partners in the European Union, are subject to EU data protection laws.

So as of today Google should have in place an airline reservation system, including PNR hosting functionality, which fully complies with EU laws including in particular UK data protection law and the EU Code of Conduct for Computerized Reservation Systems.

We’re doubtful that Google (or Cape Air) have complied with these requirements of EU law. Cape Air’s privacy policy says, “CapeAir does not fly routes within Europe, so this Privacy Policy is not adapted to European laws.” It appears to be true that Cape Air doesn’t fly within Europe, but it does operate flights to and from UK territories that are legally part of the EU. Cape Air also says, “By agreeing to Cape Air’s Privacy Policy, you consent to Cape Air applying its Privacy Policy in place of data protections under your country’s law.” It’s not clear whether such a waiver of rights is valid. The “Privacy Policy” link  on ITAsoftware.com goes directly to Google’s new global privacy policy, which appears to say that Google may merge information from all Google services, presumably including Google’s new PNR-hosting service.

At the same time, in accordance with the Advance Passenger Information System (APIS) and PNR regulations of US Customs and Border Protection (CBP, a division of the DHS), that also means that Google has connected its system to CBP’s Automated Targeting System (ATS).  Whether Google has given CBP logins to “pull” data whenever CBP likes (as the other CRSs have done), or whether Google “pushes” PNR data to CBP, remains unknown until some Cape Air passenger requests their PNR data under EU law.

In accordance with the US Secure Flight rules, the Google CRS for Cape Air must also have a bi-directional connection to the US Transportation Security Administration to send passenger data to the TSA and receive permission-to-board (“cleared”) fly/no-fly messages in response.

This is, so far as we can tell, an unprecedented level of direct connection between Google’s databases and any government agency.  Has Google complied with EU law? Probably not, but we can’t tell. We invite Google to allow independent verification of how it handles PNR data, and whether its CRS system and its connections to the US government comply with EU rules.

[It’s also important to note that the privacy and data protection practices of CRSs, including Google’s “ITA Software” division, are outside the jurisdiction of the Federal Trade Commission and subject to policing only by the do-nothing Department of Transportation.]

There are also interesting questions about what profiling and data mining capabilities are built into Google’s CRS system. “Legacy” CRSs store PNRs in flat files in which PNRs for different trips by the same traveler can be difficult to link. But a report on the new Google CRS in the online trade journal Tnooz says it “enables … call center agents ‘to see customers’ history,’ including past trips and upcoming flights, ‘right in front of them’.” Greater designed-in profiling and data mining capabilities are selling points of Google’s CRS compared to its “legacy” competitors.

EU oversight and enforcement bodies should have demanded answers as well. Last May the European Parliament approved a resolution calling on the European Commission to carry out, “an analysis of … PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” In November, shortly after Google’s announcment that they were moving forward with their CRS project, a Member of the European Parliament submitted written follow-up questions to the Commission as to whether the EC has conducted such an analysis, as well as whether the EC has “considered the technical or policy implications of potential new CRS providers such as Google, which may use different technology platforms from those of legacy CRS vendors?”

As we’ve noted, the “response” to these questions by Commission Cecilia Malmström said nothing about Google or other new CRS providers, contradicted the statements that have been made by European airlines, and largely ignored the issues raised by the European Parliament.

Cape Air is a small first step into the CRS industry by Google, but it won’t be the last.  Everyone concerned with how PNR data is stored and processed, including data protection authorities in countries that (unlike the US) have such entities, should carefully scrutinize and demand satisfactory, verifiable answers as to what this means about Google’s relationship to US government agencies and the need for oversight and enforcement of privacy data protection rules applicable to all CRS companies.

Feb 16 2012

European Commissioner responds to Parliamentary question on CRSs

As we’ve noted previously, members of the European Parliament have been exercising their right to question the European Commission about the proposed agreement negotiated by the EC with the USA to give travel companies partial immunity from EU privacy law when they open their reservation (“PNR“) databases to the US Department of Homeland Security.

Numerous written questions about the proposed PNR agreement have been posed by MEPs, and answers from the Commission have been trickling in, although often later than the 6-week deadline in Parliament’s rules.

The most interesting of these questions and answers is one about the “Implications for the EU-US PNR agreement on computerised reservation systems, including new CRS providers such as Google“:

Read More

Feb 06 2012

Yet another US citizen denied their right of return

In the latest variation on what has become a depressingly-familiar theme, US citizen Jamal Tarhuni was denied boarding on a flight home to the USA last month, apparently because while he was abroad the US government put him on the list of those people it has secretly ordered airlines not to transport.

Mr. Tarhuni had been working in Libya for a nonprofit relief agency.  He is now trapped in Tunisia, separated from his home and family in the USA, as he discusses in this Skype video interview.

My Tarhuni’s de facto banishment from the USA is especially disturbing in light of reports that before being naturalized as a US citizen he was granted asylum in the USA in the ’70s. While conditions may  have changed, a grant of asylum means that Mr. Tarhuni has already established, to the satisfaction of US authorities, that he had a well-founded fear of persecution if he were forced to return to the country of his original citizenship. That makes it, we think, especially critical that the US allow him to return home before his permission to remain in Tunisia expires and he risks being deported to some other country of non-refuge.

It’s one more case for the UN Human Rights Committee to ask questions about when it conducts its next review of US (non)compliance with the International Covenant on Civil and Political Rights: “Everyone has the right to leave any country, including his own, and to return to his country.”

[Update: Jamal Tarhuni is not alone. MSNBC reports that another US citizen, Mustafa Elogbi, is also trapped in Libya after being denied passage on a connecting flight from London to the US, and returned to Libya, where his flights has originated (not the country of his citizenship, the USA) after being detained and interrogated in London.  “Elogbi and Tarhuni have booked new tickets and are scheduled to board a flight back to the United States on Feb. 13, arriving in Portland on Feb. 14. Their Portland attorney Tom Nelson is traveling to the region so he can accompany them on the flight. The two men do not know whether they are included on the U.S. government’s secret no-fly list. As per government security policy, the FBI will not confirm or deny it. … Thus they do not know if they will be prevented from boarding in Tunis, or in Paris or Amsterdam, where they change planes.”]

Feb 06 2012

KLM wants you to make the DHS your friend on Facebook

Getting the jump on airline “social seating” startups like SeatID.com, KLM launched a new Meet & Seat service last Friday that allows passengers on certain flights (including some to and from the USA) to make portions of their Facebook and /or LinkedIn profiles available for viewing by fellow passengers — who, presumably, might want to use that profile data to determine whether to sit (or avoid sitting) near a friend, enemy, target of identity theft, someone on whom they want to eavesdrop, someone they are stalking, or someone matching other criteria.

There’s no mention in the terms and conditions for the “Meet & Seat” service of what data is actually imported into KLM’s systems, or where it is stored.

We asked KLM’s US-based publicists about this on Friday when we got the launch announcement. They first referred us to this webpage (which doesn’t mention privacy or data protection or answer our questions), then bounced our query to the p.r. department at their corporate headquarters in Amsterdam. They didn’t respond to our e-mail messages or answer their phone today.

Specifically, we asked KLM:

Does a passenger provide their password to KLM to retrieve info from their Facebook or LinkedIn profile, or authorize KLM to do so as a Facebook app? What’s actually stored by KLM (Facebook user ID? password? authorization code for the app? data retrieved from Facebook), and where (e.g. in the PNR or departure control system)?

The problem is that any data stored in the PNR for a flight to or from the USA is sent to the DHS and included in the passenger’s permanent secret dossier in the DHS Automated Targeting System, for use whenever they travel to or from the USA in the future and for many other purposes. When would-be visitors have already been denied entry to the US based on jokes posted on Twitter, is that what you want to “opt in” to?

PNRs for all KLM flights — not just those to or from the USA — can be retrieved by offices in the USA of KLM, its codeshare partners, and the computerized reservation systems that host those PNRs.

US laws would allow the DHS, FBI, and/or other Federal agencies to require those US offices to retrieve this data, hand it over to the US government, and keep the fact that they had done so secret. KLM has previously claimed, in response to requests for records of whether this has happened, that netiher KLm nor its primary PNR hosting provider Amadeus keep any logs of access to this data, and that it has no agreements with its agents and codeshare partners requiring them to keep such records or to provide them KLM.

If KLM is storing Facebook or LinkedIn data in its departure control system, it won’t automatically be pushed to the DHS, but it will still be retrievable by the US offices of KLM, its codeshare partners, and its ground handling agents — and hence by the DHS and FBI.

It’s theoretically possible that none of this data is stored in PNRs or the DCS, but only in a separate database not accessible from the US.  Unlikely, we suspect, but possible. If so, KLM should say so, and make that an explicit contractual commitment.

Otherwise, anyone who uses “Meet & Seat” may find that whatever information you “share” with fellow passengers is also shared with the DHS, and your ATS file is permanently linked to your Facebook ID even if you later opt out of the KLM social seating service.

If anyone uses KLM’s “Meet & Seat” and subsequently requests their records from KLM under Dutch data protection law, please let us know (in the comments or privately) what you find out. We’ll be happy to help you try to decipher any response from KLM or its agents or contractors.

[Update: Three days after we published this story, KLM responded to our questions that KLM’s “Meet & Seat” is “authorised as a Facebook or LinkedIn app…. No passwords are stored [in the PNR or the Departure Control System], but the basic data that is imported from the Facebook or LinkedIn profile (name, picture, school, company etc.) will be stored by KLM in a separate, secure database. If the passenger wants to update these details, he has to provide his LinkedIn or Facebook details again. The profile details will be deleted automatically 2 days after the last flight in your reservation has been flown. Nothing is stored in the PNR or DCS.”  We’re seeking further clarification as to where this “separate, secure” database is stored, to whom and from where it is accessible, and what privacy and data protection rules and policies it is subject to. And we remain interested in hearing from anyone who has obtained a copy of their KLM “Meet & Seat” records in response to a request under Dutch or other data protection law.]

[Further update from KLM: “Part of our security is not to tell everybody where we store private information.” That appears to violate EU and Dutch data protection rules requiring disclosure of  (1) by whom personal data is processed and (2) to what other countries it is transferred. We’ve asked KLM about this, but haven’t heard back yet.]

Feb 06 2012

State Dept. finalizes passport fee increases, continues to ignore human rights complaints

On February 2, 2012, the State Department published a final rule in the Federal Register setting fees for issuance and renewal of U.S. passports and related consular services.

Contrary to some press reports, this rule didn’t actually increase the current fees. It merely “finalizes” the fee increases that have already been in effect for the last 18 months since the publication of an interim final rule (don’t you love that bureaucratic doublespeak?) in June, 2010.

What’s noteworthy about the “final rule” is that while it purports to include an updated analysis of the public comments on the fee increases, it continues to ignore our complaints that these fees, and the process by which they were adopted, violate both U.S. treaty obligations related to freedom of movement as a human right, and Federal law that requires an assessment of their economic impact on freelancers and other self-employed individuals.

We filed our complaint in the State Department’s designated docket, but also submitted it directly to the Secretary of State with a request that it be forwarded to the State Department’s designated “single point of contact” responsible for insuring that complaints of human rights treaty violations are responded to.

Our complaint of human rights treaty violations isn’t mentioned in the State Department’s analyses of public comments, and we’ve received no acknowledge or response from the Secretary’s office or anyone else at the Department.  Our FOIA request and appeal for records of who the Secretary of State has designated as responsible for responding to such complaints, and what (if anything) they have done with ours, has been pending without even a partial response since July 2011.

Jan 27 2012

Retroactive Privacy Act exemptions could cost a US citizen his life

In his ruling this week in Hasbrouck v. CBP, Judge Seeborg of the US. District Court for the Northern District of California suggested that US citizens have no “rights” that would be prejudiced by applying newly-issued Privacy Act exemption rules to previously-made requests for government records.

But a parallel case currently before the U.S. District Court in DC shows how retroactive application of Privacy Act exemptions can be a potentially life-or-death issue.

Sharif Mobley is a native-born U.S. citizen who was living in Yemen with his wife (also a US citizen) and their two infant children when he was shot and seized by agents of the Yemeni government in January 2010, and taken to a Yemeni hospital in police custody.  He’s been in a Yemeni prison ever since, and needs US government records to defend himself against capital charges.

Read More